SMTP AUTH checking matchers

Thu, 17 Jul 2003 08:01:24 -0700 

I just committed a new functionality that uses the new "mail attributes" feature.

It's the ability to check from within any mailet if, when SMTP AUTH is active, the 
sender user has been successfully authenticated and also his name.

The name is passed along with the mail as a mail attribute named 
"org.apache.james.SMTPAuthUser", and can be get with a command like:

        String authUser = (String) mail.getAttribute("org.apache.james.SMTPAuthUser");

If no authentication was done the command returns null.

I added two matchers that do already such work: SMTPAuthUserIs and SMTPAuthSuccessful.

I was since long time waiting for this functionality: until now I have been defining 
in my production config.xml some "restricted use" addresses (as company wide 
distribution lists) as having a domain name not listed in <servernames> just to 
enforce authentication (for example "[EMAIL PROTECTED]", where "internal.use" does not 
exist): remember, the "SenderIs" and "SenderHostIs" checks can be forged by anyone - 
imagine a spammer spamming to all my users in a single shot. Now it is possible to 
attain a higher security using my true domain name.

I understand that we might need to do some CVS juggling, to better tag the old code 
(perhaps the Mailet API). But as I'm going away for a long weekend (until Monday) I 
just wanted to turn it in before leaving.

I hope that others will consider this useful.

A second more general topic regarding mail attributes: as I just said I've used an 
attribute named "org.apache.james.SMTPAuthUser", defined in SMTPHandler and in two new 
matchers using a "private final static String" constant in each of them (and using the 
constant name instead of the string - 
mail.getAttribute(SMTP_AUTH_USER_ATTRIBUTE_NAME)):

    private final static String SMTP_AUTH_USER_ATTRIBUTE_NAME = 
"org.apache.james.SMTPAuthUser";

It would be better to start using a "org.apache.mailet.Attributes" class in v3 and a 
"org.apache.james.util.Attributes" class in v2, similar to the RFC2822Headers class, 
just to hold any such new attribute name constant and reference it from everywhere. Or 
perhaps something else.

What is your suggestion about all this?

Vincenzo


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to